RBAC (Role-Based Access Control) grants permissions by role rather than to individuals one by one: a user is assigned a role (operator, investigator, administrator, auditor), and the role carries a defined set of permissions — which cameras they can view, whether they can export, search, configure, or unmask faces. It is how a surveillance system enforces that people see and do only what their job requires, the principle of least privilege.
In surveillance, RBAC is a frontline privacy and security control, because footage is sensitive and the temptation to over-share access is strong. A well-designed scheme separates duties — a guard might watch live feeds but not export, an investigator might search and export with logging, only an administrator can change retention or user accounts, and biometric unmasking might require a separate elevated role. Scoping access by camera, by area, and by function limits both accidental over-exposure and deliberate misuse, and it pairs with the audit trail so that whatever a role permits is also recorded.
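The duty separation described above, as an added example that is not part of the original page: a deny-by-default check that scopes each role by function and by camera area and records every decision, allowed or denied. The role, function and area names and the in-memory audit list are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role table (names are assumptions): each role lists the
# functions it may perform and the camera areas it may perform them on.
ROLES = {
    "guard": {"functions": {"view_live"}, "areas": {"lobby", "parking"}},
    "investigator": {"functions": {"view_live", "search", "export"},
                     "areas": {"lobby", "parking", "warehouse"}},
    # In this example the administrator manages the system but sees no footage.
    "administrator": {"functions": {"configure_retention", "manage_users"},
                      "areas": set()},
    # Unmasking is a separate elevated role, not part of "investigator".
    "biometric_reviewer": {"functions": {"unmask_faces"}, "areas": {"lobby"}},
}

# Functions that act on the system, not on a camera, so no area scope applies.
SYSTEM_FUNCTIONS = {"configure_retention", "manage_users"}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def authorize(user, function, area=None):
    """Allow only if one of the user's roles grants the function and, for
    camera functions, also covers the requested area. Everything else is
    denied, and every decision is written to the audit log."""
    granted_by = None
    for role in sorted(user.roles):
        perms = ROLES.get(role)
        if perms is None or function not in perms["functions"]:
            continue
        if function in SYSTEM_FUNCTIONS or area in perms["areas"]:
            granted_by = role
            break
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.name, "function": function, "area": area,
        "decision": "allow" if granted_by else "deny", "role": granted_by,
    })
    return granted_by is not None
```

Denied attempts are logged alongside allowed ones, so a guard repeatedly requesting exports shows up in review even though nothing was released.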
The pitfalls are role bloat and the everyone-is-admin shortcut. Giving most users broad access "to keep things simple" defeats the control — the point is that not everyone can pull up any camera or export any clip — and over-broad roles are exactly what enable insider abuse and widen the blast radius of a compromised account. Stale permissions are another trap: access must be removed when people change jobs or leave. Define roles around real job needs, grant the minimum, review them regularly, and back them with logging. This is engineering guidance, not legal advice.

